The Never Ending Open Source Security Debate Drags On
On a top secret mailing list I participate in, there was some recent discussion about a recent article published by Fortify slamming the Open Source community for failing to adopt software security (you can find the article on the Fortify website). Here’s what I posted to the list (identities masked to preserve secret identities):
I just downloaded and read the Fortify study. It’s more of a white paper than it is science, but it is reasonably well presented and seems not to be too terribly fluffy. You can download a copy for yourself from the Fortify website. In the end what we have is some evidence that there are some open source projects that are behind the curve from a security perspective. I don’t think this should come as a surprise to anyone.
Some specifics based on other postings:
[DoD open source guy] sez>> First, it’s Java-heavy.
This is true. As far as I know, all of Fortify’s open source work has been Java-based (see the Java Open Review project). I don’t see why this impacts the results very much. Though open source Java projects may be a bit less responsive to security, the conclusions in the report are clear about just what set of projects were considered. Then again, I am not at all sure what methods were used to pick 11 out of 101 JOR projects.
[Apache leader] sez>> My experience on the security team at Apache…
Incidentally, when it comes to the results reported, Apache (Tomcat) is the only one of the eleven projects that is reported to have security-specific email, links to security info and access to security experts. One the other hand Apache (Struts) is reported not to have these things, which [DoD open source guy] argues is misleading since the Apache ASF page has these things.
[crypto open source guy] sez >> A better summary would have been “Many developers still don’t care about security.”
Sadly this is true. However as an evangelist in the space I will point out that the commercial world appears to be making much better headway in software security than the open source community (present company excepted of course but I am donning my asbestos suit anyway). I think many of the reasons why commercial software has an unfair advantage were covered in a panel on open source and security that Peter Neumann, Fred Schneider, and I all participated in at Oakland in 2000 (I can dig up e-copies if anybody cares).
One project was singled out for good software security practice: Mozilla. Should we all try to be more like Mozilla?
The debate did not rage on on the top secret list, but it must be raging on somewhere, because Roger Thornton just posted a response to the Fortify blog which you cab read here.
Frankly I was hoping that we killed this thing dead at Oakland in 2000. Guess again!
August 1st, 2008 at 5:20 pm
“The Never Ending Open Source Security Debate Drags On a top secret mailing list I participate in”
Am I the only person who sees the irony of this? You’re talking about a secret mailing-list. In other words, “invite-only”. Also plague to any risks against the Trusted-Introducer model, including sockpuppets. The listserv probably runs on open-source software, which probably contains at least one security-related bug. Oh and the SMTP delivery is universally cleartext.
Even though you don’t mention the name of the list, or what qualifications it takes to join — thanks for re-posting some of the “secret information” on your blog for the rest of the world to see.
I think we have opposing views on this topic, but not in the regular, obvious way. I think Mozilla is the best example of bad software security practices. Try comparing SELinux to CA ACF2/TS as a better example of FOSS vs. Commercial.
Also, I think if the only lessons-learned that we can take out of the Fortify paper is that software risk applies to everyone — then yeah duh… we already knew that, ok?
I just saw it as a Fortify press release to stir up some discussion, especially by coordinating with Larry Suto.
August 2nd, 2008 at 4:57 pm
Hi Andre,
Thanks for your resonse.
If I were running the mailing list in question it would not be top secret. But I’m not. As it stands, the list has the usual signal to noise ratio (miniscule) and the added nonsense of various open source zealots arguing over how many angels fit on the head of a software license.
I’ve posted a couple of other thoughts to this blog spurred by that list, and I’m likely to do it again.
I’m not sure our views are in opposition when it comes to the Fortify postings. Hence the term “dust up”. TTL 250ms.
gem